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Probabilistic Survivability versus Time Modeling 


The KSC Independent Assessment (IA) Team conducts assessments as requested by a 
Customer, providing the Customer with objective, non-advocacy recommendations and 
solutions. IA Team customers include the Office of Safety and Mission Assurance (OSMA), the 
KSC Center Director, Program Managers, Chief Safety and Mission Assurance Officers, and 
other first line Directors at KSC. Assessments performed by the team cover a variety of subjects 
ranging from systemic process evaluations and technical assessments to process improvement. 
Assessments exclude any criminal investigation. 


This article summarizes three KSC assessments in which Survivability versus Time Models 
were developed as a decision-evaluation tool. The first assessment developed a mathematical 
model of Survivability versus Time for an emergency egress system at Launch Complex 39B 
(LC-39B). The second assessment used the first model to evaluate and compare various 
emergency egress systems under consideration at LC-39B. The third assessment used a 
modified LC-39B model to determine if a specific hazard(s) decreased survivability more rapidly 
than other events in the Vehicle Assembly Building (VAB). Probability distributions were 
developed for hazard scenarios to address statistical uncertainty, resulting in survivability plots 
over time. Composite survivability plots encompassing multiple hazard scenarios were also 
developed. These assessments produced a set of plots that acted as a decision-informing tool 
for the Ground Systems Development and Operations (GSDO) Chief Safety and Mission 
Assurance Officer (CSO) and GSDO Program Manager during key programmatic reviews. 


In 2012, the GSDO CSO requested that 
KSC IA perform an assessment of the LC-39B 
Emergency Egress Systems. If an emergency 
situation (e.g., fire, imminent explosion) 
developed with the Orion Crew Module or Space 
Launch System (SLS) vehicle at LC 39B during 
launch countdown, an Emergency Egress 
System (EES) would quickly transport four 
astronauts to safety. The intent of this first 
assessment (KSC IA 1207, “Crew Emergency 
Egress Survivability”) was to determine if 
survivability as a function of time to reach a safe 
location could be used to develop a Figure of 
Merit (see Figure 1) to enlighten EES design 
trade studies. By-products included a list of 
scenarios leading to emergency crew egress 
and initial estimates of the likely crew 
survivability. 
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Figure 1 A Figure of Merit 


To accomplish this task, the IA Team started by defining terms, groundrules, and 
assumptions early in the process. Death was defined as 0% survival if any of the crew members 
died before reaching a safe location. The IA Team made no assumption as to the nature of the 
Ideal EES (e.g., rail, slidewire, elevator) or a destination of a safe location (an area where the 
crew are free from the effects of a hazard). The evaluation started once all four crew members 
were on the Crew Access Arm, noting survivability at specific time intervals until a safe location 
was reached. 
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The Fault Tree Analysis (FT A) Method was used to determine which Hazard Scenarios 
would require an emergency egress. The FTA Method resulted in the simplified Fault Tree 
(soon in in Figure 2 below) which enabled the IA Team to examine all paths to establish credible 
scenarios. 
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Figure 2 Simplified FTA 

For each credible initiating event, the Likelihood of Occurrence and the Probability of 
Survival (given the initiating event occurred) were determined. The “Most Likely” value for the 
Likelihood of Occurrence was determined through data analysis and review of historical 
information or, in the absence of numerical data, via expert elicitation. Uncertainties in the Most 
Likely value were bound by Maximum and Minimum limits determined using the Error Factor 
method described in the NASA PRA Guidebook 1 . 

The "Most Likely" survivability value was bound by Minimum (“Bad Day” or everything 
working against crew surviving the hazard) and Maximum (“Good Day” or optimal conditions/not 
severe as expected) limits. These Maximum, Most Likely, and Minimum values establish the 
survivability distribution. All three survivability values were determined via team consensus, 
interviews, or consequence rating from hazard reports, or by a combination of these methods. 

To calculate the probability of survival for all credible initiating events: 

P E = likelihood of event occurring, [input in Failure Space] 

P S |e = probability of surviving if event occurs, [input in Success Space] 

Since a Failure Space Distribution should not be multiplied by a Success Space 
Distribution, P S | E needs to be converted into Failure Space, so Pdie = probability of dying, 
calculated by: 


Pdie = 1 - Psie 

P D = probability of dying due to this event, which is calculated by: 


1 Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners, NASA/SP- 
2011-3421, December 2011 
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P D = P E *P DE = P E *(1 -P SE ) 


Converting back into Success Space (Survivability): 

P s = probability of surviving due to this event, which is calculated by: 


P s = 1 - P D = (1 - (P E * (1 - P SE )) [output] 

P s aii = probability of surviving the occurrence of all Initiating Events (assumes events are 
independent), which is calculated by: 

Psal, = n (P SI ) = P S1 * P S2 * ... * Ps65 [OUtpUt] 

The @RISK software was used calculate the survivability distributions. The Latin Hypercube 
sampling method was chosen to run probabilistic simulations at 50,000 iterations in order to 
calculate the output for each time interval. The first assessment produced an Ideal EES model 
with Most Likely value bounded by a Maximum and Minimum limit. Based on the composite 
survivability, there is a soft “knee” in the curves at eight minutes (ten minutes after the egress 
order was given). As a secondary effort, the team also developed survivability estimates 
assuming the existing launch pad elevator would be used after significant hardening changes. 
Use of the upgraded launch pad elevator as the EES decreases survivability somewhat 
compared to the Ideal EES since it involves taking the flight crew past the hazard for some 
scenarios. 


The second LC-39B assessment (KSC IA 1304, “Crew Emergency Egress Comparison”) 
evaluated each emergency egress system under consideration (e.g., rail, slidewire, elevator) 
based on the astronauts’ survivability as a function of time to reach a safe location (a bunker 
inside the blast danger area or outside the blast danger area). The GSDO Program provided the 
IA Team with a study that outlined each EES route, time, distance, and safe location. For each 
EES design option, the IA Team considered 65 initiating events, rescored the survivable for 
each credible initiating event at each time interval to account for the characteristics of that EES 
transporting the astronauts to the safe location, and then calculated a P Sa n for that EES. . 


The @RISK software calculated P Sali for each EES and produced the curves shown in the 
figure of merit. Notional composite graphs of the Most Likely values for the seven egress 
methods assessed are shown in Figure 3 below: 
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Figure 3 Notional Composite Graphs of Most Likely Values 
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Results from both assessments were briefed to the stake holders, GSDO CSO and the 
GSDO Program Manager. The GSDO Program held various check point reviews leading up to 
an EES design concept down-select at the GSDO Program Control Board. Method B was 
selected as the EES design for the LC-39B. 

The third KSC assessment in which a 
Survivability versus Time Model was 
developed started in 2013 (KSC IA 1308, 

“VAB Emergency Egress Survivability 
Assessment”). As before, the GSDO CSO 
requested an assessment of the VAB egress 
routes using the same methodology 
developed for the LC 39B Assessment. For 
the VAB Assessment, the IA Team was 
asked to determine if specific hazard 
scenarios encountered in processing the SLS 
and Orion flight hardware reflected a 
survivability that decreased more rapidly than 
the other event(s). The VAB assessment 
evaluated multiple workers (~14 to 90 people) 
egressing from multiple locations from VAB 
High Bay 3, compared to the LC 39B 
Assessments, which evaluated four 
astronauts moving as a unit using a single 
egress route. Assembly and testing in the 
VAB occurs over several months and was 
divided into seven different processing 
phases, each with different time durations, 
spanning from the start of solid rocket motor 
stacking operations to SLS/Orion rollout to 
the LC 39B. Each processing phase has a 
different number of workers in multiple work 
locations. Due to the size of High Bay 3 and the distribution of workers, the High Bay was 
divided into eight different work zones (see Figure 4). Egress paths to reach an exit varied by 
work zone between approximately 30 to 180 feet. The Customer requested the time to reach an 
exit from each work zone/processing phase be assessed at eight different time intervals. 

To determine survivability for multiple personnel at various locations for a specific time, an 
Aggregate Survival Level was calculated as a weighted average based on manloading and the 
Survival Level assigned to each Zone. 

• The Aggregate Survival Level formula for an individual Initiating Event during one Phase 
and at one time interval is: 

P(SAggregate|E) = ZjL , [( £*=£) * P(S *""' e) 1 

• As outlined in the LC 39B assessment, then Psfor all Zones, one Phase, one time 
interval and Initiating Event is: 



Ps— 1 ■ Pd — (1 " (P e (1 — P(SAggregate|E)) [OUtpUt] 


4 



Thus, the VAB Emergency Egress Analysis formula for the probability of surviving all 
individual Initiating Events at the same time is calculated in success space by: 

Ps* = n (P Si ) = P S1 * P S2 * ... * P S78 [output] 

Thus, a composite scenario was developed, denoted Ps*,, which represents the probability 
of surviving all initiating events for all Phase, each time interval, and for all Zones. The @RISK 
software calculated Ps*,, and produced curves for the Maximum, Most Likely, and Minimum. 
Figure 5 represents a notational composite survivability versus time graph for the VAB 
Assessment. 
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Figure 5 Notional Composite Survivability versus Time Graph 

The results of these three independent assessments provided a series of graphs that 
formed the basis of a decision-informing tool for the GSDO CSO and Program Manager. These 
plots took into account the workforce population over a specific time period and a spectrum of 
potential hazard events weighted by the likelihood of occurrence for each event. 
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